Kai Ullrich

SPML in IdM 7.1 – part I

Yesterday I started configuring Identity Services on my notebook. I ran into a couple of issues and wanted to share my experience with the reader.

Let's start with a short summary of what SPML is and how it works. SPML is an HTTP- and XML-based standard designed to implement identity and provisioning services. Details can be found at the OASIS site or on OpenSPML. The official documentation for configuring SPML-based Identity Services is available on SDN. So once you've implemented SAP NetWeaver Identity Services you can access and modify Identity Center data over the network via HTTP. Pretty nice, isn't it?

So I started by installing Virtual Directory Server and then followed the instructions from the above link. A funny little detail worth mentioning is that you need Virtual Directory Server in order to generate an ear file, but once you've deployed the ear file on a NetWeaver Java Server the services run on that WebAS Java and not on the Virtual Directory Server. This is certainly more of a pro than a con, since it helps avoid unnecessary complexity in your system landscape. What I don't like is that the Identity Services are not preinstalled with the Identity Center UI components, for instance.

So a caller accesses the NetWeaver Java stack via SPML, and the SPML servlet deployed there forwards the call to the Identity Center database. So far so good. When you work through the documentation, keep in mind that in the end the service will run on WebAS Java. I don't know why you need the database connection string on the VDS to create the ear file (the WebAS connects to the IC DB through the DataSource IDM_DataSource you create when you install the IdM UI), but let's not focus on minor details like this.

So the next step for me was to build a simple SPML client in Java to test everything. A simple standalone Java program would do fine for the moment. I wanted to do this with JDK 1.4.2 since my intention was to finally run this on NetWeaver 7.0, which doesn't support higher Java versions. So the next challenge was to find a library that supports JDK 1.4.2 and to get all dependent libraries. I also tried OpenSPML version 2, but found that NetWeaver Identity Services only support v1. OK, here is the list of jar files I ended up with:

mxopenspml.jar
activation.jar
mail.jar

For some reason the javax.mail package is needed, and this in turn needs activation.jar.

So if you provide these jar files in the classpath then the following Java source file will compile:

import org.openspml.client.SpmlClient;
import org.openspml.message.AddRequest;
import org.openspml.message.ModifyRequest;
import org.openspml.message.SpmlResponse;
import org.openspml.util.SpmlException;

public class SpmlTest
{
    private SpmlClient client;

    public SpmlTest (String url, String username, String password)
        throws Exception
    {
        // URL of the SPML servlet deployed on the WebAS Java
        String urlWithPwd = "http://" + url;

        client = new SpmlClient();
        // user id and password that were defined when the ear file was generated in VDS
        client.setUsername(username);
        client.setPassword(password);
        client.setUrl(urlWithPwd);
        // trace prints the SPML request and response XML to stdout
        client.setTrace(true);
    }

    // the VDS needs an identifier in LDAP DN syntax
    private String identifier (String asyncMskeyvalue)
    {
        return "cn=" + asyncMskeyvalue + ",ou=nwidm1,o=ids";
    }

    // print the error message if the server reported an error
    private void checkResponse (SpmlResponse response)
    {
        if (response.getError() != null || response.getErrorMessage() != null) {
            System.out.println (response.getErrorMessage());
        }
    }

    public void createAddRequest (String asyncMskeyvalue)
        throws SpmlException
    {
        // create the OpenSPML request
        AddRequest request = new AddRequest();
        request.setIdentifier(identifier(asyncMskeyvalue));

        // special attribute announcing the modification of an MX_PERSON
        request.setAttribute("MX-ASYNC-OBJECTCLASS", "MX_PERSON");
        // in this example we set the DISPLAYNAME attribute of the person
        request.setAttribute("DISPLAYNAME", "A new display name");

        // send the request and handle the response
        SpmlResponse response = client.request(request);
        checkResponse(response);
    }

    public void createModifyRequest (String asyncMskeyvalue)
        throws SpmlException
    {
        ModifyRequest mr = new ModifyRequest();
        mr.setIdentifier(identifier(asyncMskeyvalue));

        mr.addModification("DISPLAYNAME", "Yet another new display name");

        // send the request and handle the response
        SpmlResponse response = client.request(mr);
        checkResponse(response);
    }

    // usage: java SpmlTest <url> <username> <password> add|modify <mskeyvalue>
    // (the array indices were lost in extraction; this argument order is a reconstruction)
    public static void main (String[] args)
        throws Exception
    {
        if (args.length < 5) {
            System.out.println("usage: SpmlTest <url> <username> <password> add|modify <mskeyvalue>");
            return;
        }
        SpmlTest st = new SpmlTest(args[0], args[1], args[2]);
        if ("add".equals(args[3])) {
            st.createAddRequest(args[4]);
        }
        else if ("modify".equals(args[3])) {
            st.createModifyRequest(args[4]);
        }
        else System.out.println("use 'add' or 'modify'");
    }
}

When you call this program, provide the user id and password that you entered during generation of the ear file in VDS (don't use the WebAS user id / password!).
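The Java client above never shows what actually goes over HTTP. The following Python example is added here and is neither the blog's code nor part of the mxopenspml library: it builds the SPML 1.0 addRequest XML for the identifier and attributes used above, escapes the caller-supplied MSKEYVALUE per RFC 4514 so a value such as "x,ou=admins" cannot add RDN components to the identifier, and checks a response the way the Java client checks getError()/getErrorMessage(). Assumptions: the namespaces and element layout follow the OASIS SPML 1.0 specification as I recall them (compare with the XML that client.setTrace(true) prints), the ou=nwidm1,o=ids suffix is the blog's, and the two sample responses are constructed.

```python
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:1:0"        # SPML 1.0 namespace (assumption, verify against trace)
DSML = "urn:oasis:names:tc:DSML:2:0:core"   # DSML namespace SPML 1.0 uses for attributes
ID_SUFFIX = "ou=nwidm1,o=ids"                # container used in the blog's identifier


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so a caller-supplied
    MSKEYVALUE like 'x,ou=admins' cannot add RDNs to the identifier."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def idm_identifier(mskeyvalue):
    return "cn=%s,%s" % (escape_rdn_value(mskeyvalue), ID_SUFFIX)


def build_add_request(mskeyvalue, attributes):
    """Serialise the addRequest that the Java AddRequest object represents:
    MX-ASYNC-OBJECTCLASS=MX_PERSON plus the caller's attributes."""
    ET.register_namespace("spml", SPML)
    ET.register_namespace("dsml", DSML)
    req = ET.Element("{%s}addRequest" % SPML)
    ident = ET.SubElement(req, "{%s}identifier" % SPML, type=SPML + "#GenericString")
    ET.SubElement(ident, "{%s}id" % SPML).text = idm_identifier(mskeyvalue)
    attrs = ET.SubElement(req, "{%s}attributes" % SPML)
    for name, value in [("MX-ASYNC-OBJECTCLASS", "MX_PERSON")] + list(attributes.items()):
        ET.SubElement(ET.SubElement(attrs, "{%s}attr" % DSML, name=name),
                      "{%s}value" % DSML).text = value
    return ET.tostring(req, encoding="unicode")


def response_error(xml_text):
    """Return (error, errorMessage) of an SPML 1.0 response; (None, None) means success.
    This is the getError()/getErrorMessage() check of the Java client."""
    root = ET.fromstring(xml_text)
    msg = root.find("{%s}errorMessage" % SPML)
    return root.get("error"), (msg.text if msg is not None else None)


# constructed sample responses, not captured from a real WebAS
SUCCESS = '<spml:addResponse xmlns:spml="%s" result="%s#success"/>' % (SPML, SPML)
FAILURE = ('<spml:addResponse xmlns:spml="%s" result="%s#failure" error="%s#noSuchIdentifier">'
           '<spml:errorMessage>Entry not found</spml:errorMessage></spml:addResponse>') % (SPML, SPML, SPML)
```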

 

When the SPML client submits the request, the WebAS creates an instance of MX_ASYNC_REQUEST in the IC database. If you configured your system correctly, this object will be picked up by the request handler, which processes the request:

[Image: https://weblogs.sdn.sap.com/weblogs/images/16628/Bild08-02.jpg]

I will deal with these questions in the next parts of this series.

6 Comments
Former Member
      Hello Kai, this is a very interesting blog as we might be adapting a setup similar to this any time soon. I would however like to ask what the recommended setup would be when the use case is different. In our setup we are already provisioning to various ABAP AS and Java AS systems. In the future we would like to provision a legacy system that accepts SPML inbound requests. What would the most appropriate setup be for this use case? We are considering using the VDS as the integration point, where we would deploy some java code that could translate incoming requests to SPML, but in principle I suppose one might as well leave the VDS out of the architecture and deploy the java directly on the IdM system?

      Best regards,
      Anders

Kai Ullrich (Blog Post Author)
      Hi Anders,

      in this case I would use the connector interface and program my own client so that you can use it with a toCustom pass. I would decompile the toSPML connector class used by the SAP Prov Framework for this purpose.
      Here is a blog which you might find interesting:

      http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/11914

      Cheers,
      Kai

Former Member
      Hi Kai, Anders,

      Just wondering, did you succeed in writing your own generic SPML client (toCustom) pass? Did you really decompile the SAP Prov. Framework toSPML connector class to achieve it?

      Thanks,
      Norman

Former Member
      Hi Kai,

very interesting article. But unfortunately I have problems getting this working.

      I tried all I could find at https://openspml.dev.java.net/downloads.html, but none of the SpmlClient classes had a method "setUsername". And there was no file called mxopenspml.jar either.

      Where did you get your OpenSPML version from?

      Best regards,
      Hans Benedict

Kai Ullrich (Blog Post Author)
      Hi Hans,

      the jar files are in the lib directory of the Virtual Directory Server.

      Cheers,
      Kai

Former Member

      Hi Kai,

Will it need Soap.jar? If yes, then which version?

      Regards,

      Shivam